Thursday, January 14, 2016

Different Types of DoS Attacks



A DoS or Denial of Service Attack is an attack for the purpose of making a target machine or network resource unavailable for its intended users. This attack mainly temporarily or indefinitely suspend a service of a host connected to internet. As a result, you may see:
  • Unusually slow network performance.
  • Unavailability of a particular website.
  • Dramatic increase of number of spam emails received.
  • Disconnection of internet connection.

The effects can be sometimes long term or even for indefinite time.





There are different types of DoS Attacks. Let's understand what each type of DoS Attack does :


Distributed Denial of Service Attack or DDoS Attack – DDoS Attack is an attack in which the attack comes from multiple sources having different IP addresses. Using IP address spoofing, the attackers normally hide their own IP addresses, making it extremely hard to catch the attacker.


UDP Flood Attack – UDP Flood Attack is an attack which floods random ports of a remote host with a large number of UDP packets. This makes the host to repeatedly check the application which is listening to the port and to reply with ICMP Destination Unreachable packets when no application found. As a result, the host ends up exhausting considerable amount of its resources and leads to a DoS Attack.


Internet Control Message Protocol Flood or ICMP Flood – Smurf Attack is this type of attack. In these attacks, the attacker sends lots of ICMP broadcast packets forging the source address of the victim. As a result, all the computers in the network send overwhelming number of replies to the victim computer. As a result, the victim computer ends up consuming all its network banwidth in sending replies and its resources become unavailable for legitimate purposes

Ping Flood - In this attack, the attacker sends a large number of ICMP Echo Request or ping packets to the targeted victim's IP address, mostly by using the flood option of ping. As a result, the victim's machine starts responding to each ICMP packet by sending a ICMP Echo Reply packet and ends up exhausting all its network bandwidth, resulting in a DoS attack.

Ping of Death – A correctly formed ping packet is typically 56 bytes in size. But any IPv4 packet may be as large as 65,535 bytes. If the attacker sends a malformed very large ping packet to the victim's IP address, the IP packet will reach the targeted victim splitting into multiple fragments. When the victim's machine will reassemble the IP fragments, it will end up with IP packet larger than 65,535 bytes. As a result, the victim's computer cannot handle that properly and a buffer overflow will happen. It can result in a system crash and potentially allowing the injection of malicious code. This type of attacks are called Ping of Death.


SYN Flood - In a SYN Flood, the attacker sends an enormous number of connection request to the victim server, often forging his IP address. As a result, the victim server ends up spawning lots of half open connections, sending back a TCP/SYN-ACK packets and waiting for the response. But as the attacker has forged his IP address, the sent packets end up going to wrong IP addresses and the server never gets a reply. But, these half-open connections saturate the maximum number of open connections the server can have and the server can no more respond to legitimate requests, resulting in a DoS attack.

Other Application Level Flood - In this sort of attacks, the attacker floods the victim machine with legitimate looking requests like database lookup, search requests etc. It exploits few conditions like buffer overflow, and fills up the disk space of the victim machine or consume all its memory and CPU cycles. As a result, the victim machine ends up exhausting all its computational resources and results in a DoS Attack.


Banana Attack – In this attack, the attacker redirects outgoing messages from the victim machine back to the machine itself. As a result, the machine ends up exhausting its own network bandwidth and becomes inaccessible to outside network access, resulting in a DoS attack.


Slowloris – In this attack, the attacker's computer opens many connections to the victim machine's webserver and try to keep them open as long as possible. It mainly opens connections to the victim web server and sends partial request. Periodically, it sends subsequent HTTP headers, but never completes those requests. As a result, the victim webserver keeps maximum possible connections open and becomes inaccessible for legitimate connection requests.


NTP Amplificaion Attack – NTP or Network Time Protocol is a protocol used by machines connected to the internet to set their clocks accurately. These NTP Servers are publicly accessible and can easily be found with tools like MetaSploit and NMAP. NTP Amplification Attack is an attack in which the attacker exploits these publicly available NTP Servers and sends lots of UDP packets to the victim machine. As a result, the victim machine ends up sending long replies which exhausts its resources.


HTTP Flood – HTTP Flood Attack is an attack in which the attacker sends lots of legitimate looking malicious HTTP GET or HTTP POST requests to a webserver. These requests consume significant amount of server's resources. As a result, the webserver ends up exhausting its resources and results in a DoS attack.


Zero-day DoS Attack – In this type of attacks, the attacker exploits vulnerabilities of a software for which no patch is yet released and performs the DoS attacks. This is quite a popular attack for attackers.


DNS Amplification Attack - In this attack, the attacker sends lots of DNS query to a DNS server, but forges the IP address of the victim machine as source IP address of all the query packets. As a result, the DNS server ends up sending all the responses to the victim machine. As DNS responses are much larger in size, the responses end up flooding the victim machine with responses and consuming its bandwidth.


CHARGEN Attack – CHARGEN is a character generation protocol that listens to port 19 of TCP or UDP and continues to stream random characters until the connection is closed. For UDP, it responds to a request with up to 512 byte response. In CHARGEN Attack, the attacker sends lots of request with spoofed IP addresses and floods the victim machine with UDP traffic at port 19, resulting in a DoS attack.


DrDoS Attack or Reflection DoS Attack - In this attack, an attacker spoofs his IP address, and sends lots of request messages to other hosts of the network. As the attacker uses the victim machine's IP address as the source IP address of the outgoing request messages, all the other hosts sends a response to the victim machine. At this point, if the attacker has much higher bandwidth than the victim machine, the victim machine gets lots of responses which uses up all its network bandwidth. As a result, victim machine becomes no longer available for legitimate requests, resulting in a DoS attack.


SSDP Reflection Attack – SSDP or Simple Service Discovery Protocol is a protocol which enables network devices to smoothly connect with each other. It is part of the Universal Plug and Play or UPnP protocol standard and is used to connect devices such as computers, printers, internet gateways, Wi-Fi access points, mobile devices, cable modems, gaming consoles etc. In SSDP Reflection Attack, the attacker sends lots of falsified request messages and redirects the amplified responses to the victim machine. As a result, the victim machine gets flooded with the responses, resulting in a DoS attack. The concept of this attack is pretty new and it first appeared in July, 2014.


SNMP Attack – SNMP or Simple Network Management Protocol is a protocol which is used to manage devices with IP addresses, such as routers, servers, printers, IP video cameras, alarms etc. These devices transmits sensor readings and other variables over the network using this protocol. In SNMP Attack, the attacker sends falsified SNMP requests and redirects the responses to the victim machine, flooding it with responses and thus it results in a DoS attack.


SSL Flood - When a server provides a secure connection to a client, normally it involves a large amount of processing cycles from the server's side. This type of attacks exploits that scenario. The attacker requests lots of secure connection to the server, and the server loses its processing cycles to respond to the illegitimate connections, not being able to respond to the legitimate ones.

SSL Garbage Flood – In SSL Garbage Flood, the attacker sends lots of malformed SSL requests to the victim machine. As these SSL requests takes lots of computational resources of the SSL server, the victim machine ends up exhausting all its resources, resulting in a DoS attack.


TCP Null Attack - In this attack the attacker sends lots of IP packets to the victim machine with the IPv4 headers filled with NULL. The firewalls configured for TCP, UDP and ICMP packets may allow these packets. As a result, the enormous amount of these packets flood the victim machine, consuming its bandwidth.

LAND Attack - It is a Local Area Network Denial attack. In this attack, the attacker sends a TCP SYN packet to initiate a TCP connection with the victim machine. But the attacker uses the victim machine's IP address as both source and destination address. As a result, the victim machine ends up replying to itself continuously, consuming all its processing power and resulting in a DoS attack.

Teardrop Attacks - In this attack, the attacker sends a mangled IP packet, with oversized and overlapping payloads, to the victim. If the Operating System of the victim's machine cannot handle it properly, the machine will end up crashing, resulting in a DoS attack.

Peer-to-Peer Attacks - In this attack, the attacker gets control over the clients of a peer-to-peer file sharing hub. He instructs the clients to disconnect from their peer-to-peer network and connect to the victim's machine instead. This results in hundreds of thousands of connection request to the victim machine. As a result, the victim machine ends up exhausting all its computational resources, resulting in a DoS attack.

Slow Read Attack - A Slow Read Attack sends a legitimate application layer request to the victim machine, but it reads the responses from the machine very slowly. The attacker advertises a very small number for the TCP Receive Window size and empties the victim machine's receive buffer slowly.

Smurf Attack – In Smurf Attack, the attacker creates lots of ICMP packets with the intended victim's IP address as source IP address of those packets and broadcasts those packets in a computer network using an IP Broadcast address. As a result, computers in the network sends the responses to the victim machine. And, the victim machine gets flooded with the responses, resulting in a DoS attack.


Fraggle Attack - This type of attack is similar to Smurf Attack, but instead of ICMP traffic, the attacker sends large number of forged UDP traffic to the victim machine.


Knowing about the possible attacks is the very first step towards protection against it. So, beware of all the vulnerabilities, so that you can protect your system in a better way. And, stay safe, stay protected.

No comments:

Post a Comment